Abstract. We analyze the security of the authentication code against pollution attacks in
network coding given by Oggier and Fathi [1] and show one way to remove one very strong
condition they required. Actually, we find a way to attack their authentication scheme. In
their scheme, they considered that if some malicious nodes in the network collude to pollute
the network flow or to make substitution attacks on other nodes, these malicious nodes must
solve a system of linear equations to recover the secret parameters. They then concluded that
their scheme is unconditionally secure. However, the authentication tag in the scheme of
Oggier and Fathi is nearly linear in the messages, so it is very easy for any malicious node
to make a pollution attack on the network flow by replacing the vector of any incoming edge
with a linear combination of its incoming vectors whose coefficients have sum 1. And if the
coalition of malicious nodes can carry out decoding of the network coding, they can easily
make a substitution attack on any other node even if they do not know any information about
the private key of the node. Moreover, even if their scheme can work fruitfully, the condition
$H < M$ in a network can be removed, where $H$ is the sum of numbers of the incoming edges at
adversaries. Under the condition $H < M$, $H$ may be large, so we need a large parameter $M$,
which increases the cost of computation a lot. On the other hand, the parameter $M$ cannot be
very large as it cannot exceed the length of the original messages.

1. Introduction 

Network coding is a novel technique to achieve the maximum multicast throughput,
which was introduced by Ahlswede et al. [2]. It allows the intermediate node to generate
output data by mixing its received data. In 2003, Li et al. further showed that linear
network coding is sufficient to achieve the optimal throughput in multicast networks.
Subsequently, Ho et al. [4] introduced the concept of random linear network coding, and proved
that it achieves the maximum throughput of multicast network with high probability.
Network coding is efficiently applicable to numerous forms of network communications, such
as Internet TV, wireless networks, content distribution networks and P2P networks. Due
to these advantages, network coding attracts many researchers and has developed very
quickly.

However, networks using network coding impose security problems that traditional
networks do not face. A particularly important problem is the pollution attack. If some nodes
in the network are malicious and inject corrupted packets into the information flow, then
the honest intermediate nodes mix the invalid packets with other packets. According to the
rule of network coding, the corrupted outgoing packets quickly pollute the whole network and
cause all the messages to be decoded wrongly at the destination.

Recently several related works have been proposed to address the pollution attack, such as
homomorphic hashing, digital signature and message authentication code (MAC). Krohn
et al. (see also [6]) used homomorphic hashing function to prevent pollution attacks. Yu
et al. [7] proposed a homomorphic signature scheme based on discrete logarithm and RSA,
which however was shown to be insecure by Yun et al. [8]. Charles et al. [9] gave a signature
scheme based on Weil pairing over elliptic curves and provided authentication of the data
in addition to detecting pollution attacks. Zhao et al. [10] designed a signature scheme
that views all blocks of the file as vectors and makes use of the fact that all valid vectors
transmitted in the network should belong to the subspace spanned by the original set of
vectors from the file. Boneh et al. [11] proposed two signature schemes that can be used
in conjunction with network coding to prevent malicious modification of messages, and
they showed that their constructions had a lower signature length compared with related
prior work. Boneh et al. [12] constructed a linearly homomorphic signature scheme that
authenticates vectors with coordinates in the binary field $\mathbb{F}_2$. It is the first
such scheme based on the hard problem of finding short vectors in integer lattices. Agrawal
and Boneh [13] designed a homomorphic MAC system that allows checking the integrity of network
coded data. These works provide computational security (i.e., the attacker's resources are
limited) in network coding.

Besides digital signatures and MACs, authentication codes also satisfy the properties
of authentication. However, an authentication code provides unconditional security (i.e., the
attacker has unlimited computational power). In the multi-receiver authentication model,
a sender broadcasts an authenticated message such that all the receivers can independently
verify the authenticity of the message with their own private keys. It requires the security
property that malicious groups of up to a given size of receivers cannot successfully
impersonate the transmitter, or substitute a transmitted message. Desmedt et al. [14] gave an
authentication scheme of single message for multi-receivers. Safavi-Naini and Wang [15]
extended the DFY scheme [14] to be an authentication scheme of multiple messages for
multi-receivers. Note that their construction was not linear over the base field with respect
to the message. Oggier and Fathi [16, 1] made a little modification of the construction so that
the construction can be used for network coding, which is actually not secure, as we will show
in this paper. Tang [17] used homomorphic authentication codes to sign a subspace, which
provides unconditional security. In fact, Tang in the same paper had noticed that linear
authentication codes for linear networks are not secure, so he modified the type of
substitution attack.

Firstly, we recall the general model of network coding and the definition of subspace
codes. In the basic multicast model for linear network coding, a source node $s$ generates
$n$ messages, each consisting of $m$ symbols in the base field $\mathbb{F}_q$. Let
$\{x_1, x_2, \ldots, x_n\} \subseteq \mathbb{F}_q^{m \times 1}$ represent the set of messages.
Based on the messages, the source node $s$ transmits a message over each outgoing channel.
At a node in the network, the symbols on its outgoing channel are $\mathbb{F}_q$-linear
combinations of incoming symbols. For a node $i$, define
$\mathrm{Out}(i) = \{e \in E : e \text{ is an outgoing channel of } i\}$ and
$\mathrm{In}(i) = \{e \in E : e \text{ is an incoming channel of } i\}$. If the channel $e$ of
the network carries packet $y(e)$, where $e \in \mathrm{Out}(i)$ and $i$ is an internal node,
then $y(e)$ satisfies $y(e) = \sum_{d \in \mathrm{In}(i)} k_{d,e}\, y(d)$. The
$|\mathrm{In}(i)| \times |\mathrm{Out}(i)|$ matrix
$K_i = [k_{d,e}]_{d \in \mathrm{In}(i),\, e \in \mathrm{Out}(i)}$ is called the local encoding
kernel at node $i$. Note that each $y(e)$ is a linear combination of the messages sent by the
source node, so there exists a vector $f_e \in \mathbb{F}_q^{1 \times n}$ such that

$$y(e) = f_e X, \quad \text{where } X = \begin{pmatrix} x_1 \\ \vdots \\ x_n \end{pmatrix}.$$



The vector $f_e$ is called the global encoding vector of channel $e$. Given the local
encoding kernels for all the channels in the network, the global encoding kernels can be
calculated recursively in any upstream-to-downstream order as follows

$$f_e = \sum_{d \in \mathrm{In}(i)} k_{d,e}\, f_d.$$

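Write the received vectors at a node $t$ as a column vector

$$A_t = (y(e) : e \in \mathrm{In}(t))^T = \begin{pmatrix} y(e_1) \\ y(e_2) \\ \vdots \\ y(e_{e(t)}) \end{pmatrix},$$

where $\mathrm{In}(t) = \{e_1, e_2, \ldots, e_{e(t)}\}$. Then we have the decoding equation at
the node $t$

$$F_t \cdot X = A_t,$$

where

$$F_t = (f_e : e \in \mathrm{In}(t))^T = \begin{pmatrix} f_{e_1} \\ f_{e_2} \\ \vdots \\ f_{e_{e(t)}} \end{pmatrix}$$

is called the global encoding kernel at the node $t$.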



2. The Authentication Scheme of Oggier and Fathi 

Oggier and Fathi constructed an authentication code against pollution and substitution
attacks in network coding, and they proved that the scheme is unconditionally secure under
some condition. Let us recall their construction and their result about the security analysis.

• Key generation: A trusted authority randomly generates $M + 1$ polynomials
$P_0(x), P_1(x), \ldots, P_M(x) \in \mathbb{F}_{q^l}[x]$ and chooses $V$ distinct values
$x_1, \ldots, x_V \in \mathbb{F}_{q^l}$. These polynomials are of degree $k - 1$, and we
denote them by

$$P_i(x) = a_{i,0} + a_{i,1} x + a_{i,2} x^2 + \cdots + a_{i,k-1} x^{k-1}, \quad i = 0, 1, \ldots, M.$$

• Key distribution: The trusted authority gives as private key to the source $S$ the
$M + 1$ polynomials $(P_0(x), \ldots, P_M(x))$, and as private key for each verifier
the $M + 1$ valuations of polynomials at $x = x_i$, namely $(P_0(x_i), \ldots, P_M(x_i))$,
$i = 1, 2, \ldots, V$. The values $x_1, \ldots, x_V$ are made public. The keys can be given to
the nodes when they sign up for a service protected by this scheme.

• Authentication tag: Let us assume that the source wants to send $n$ data messages
$s_1, s_2, \ldots, s_n \in \mathbb{F}_q^l$. Choose and fix an $\mathbb{F}_q$-linear isomorphism
between $\mathbb{F}_q^l$ and $\mathbb{F}_{q^l}$, then consider them to have the same elements.
The source computes the following polynomial in $\mathbb{F}_{q^l}[x]$:

$$A_{s_i}(x) = P_0(x) + s_i P_1(x) + s_i^{q} P_2(x) + \cdots + s_i^{q^{M-1}} P_M(x)$$

which forms the authentication tag of each $s_i$, $i = 1, \ldots, n$. Instead of sending the
original messages $s_1, s_2, \ldots, s_n$, the source actually sends packets $x_i$ of the form

$$x_i = [1, s_i, A_{s_i}(x)] \in \mathbb{F}_q^{1 + l + lk}, \quad i = 1, \ldots, n.$$

The security of the authentication scheme above proven by Oggier and Fathi is as follows:

Proposition 2.1 ([1]). Consider a multicast network implementing linear network coding,
among which nodes $V$ of them are verifying nodes owning a private key for authentication.
The above scheme is an unconditionally secure network coding authentication code against
a coalition of up to $k - 1$ adversaries, possibly among the verifying nodes, in which every
key can be used to authenticate up to $M$ messages, under the assumption that $H < M$,
where $H$ is the sum of numbers of the incoming edges at each adversary.

3. Linear Substitution/Pollution Attacks to their Scheme 

In the security analysis given by Oggier and Fathi, they focused on solving the system of
linear equations on variables $a_{i,j}$ to recover the private key of other nodes. Actually,
notice that the authenticated vectors $x_i$ above are nearly linear in the messages, so we can
implement a linear substitution attack on their scheme. Some papers [??] have noticed that it
is not secure to use linear authentication codes on linear networks, and they considered
a new type of substitution attack. They also pointed out that the authentication code of
Oggier and Fathi is non-linear so that it should be still secure. Next, we present our linear
substitution attack in detail.

Suppose the coalition of malicious verifying nodes can carry out decoding of the network
coding, i.e., the coalition of their global kernels has rank not less than the minimum
cut of the network, for instance, the coalition of malicious verifying nodes contains one
destination node. In this case, they can decode the tagged messages sent by the source
node:

$$x_i = [1, s_i, A_{s_i}(x)] \quad \text{for } i = 1, 2, \ldots, n.$$

For any $a_1, a_2, \ldots, a_n \in \mathbb{F}_q$ such that

$$a_1 + a_2 + \cdots + a_n = 1,$$

replace $x_n$ by $x_n^* = \sum_{i=1}^{n} a_i x_i$. Next, we show that in this way each verifying
node cannot notice this substitution attack.

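Verification of Linear Substitution Attack:

The vector of any incoming edge at any node is of the form

$$\sum_{i=1}^{n-1} \alpha_i x_i + \alpha_n x_n^* = \Big[\sum_{i=1}^{n} \alpha_i,\ \sum_{j=1}^{n-1} \alpha_j s_j + \alpha_n s_n',\ \sum_{i=1}^{n-1} \alpha_i A_{s_i}(x) + \alpha_n A_{s_n'}(x)\Big]$$

for some $\alpha_1, \alpha_2, \ldots, \alpha_n \in \mathbb{F}_q$. Then

$$\begin{aligned}
&\sum_{i=1}^{M} \Big(\sum_{j=1}^{n-1} \alpha_j s_j + \alpha_n s_n'\Big)^{q^{i-1}} P_i(x) + P_0(x)\Big(\sum_{j=1}^{n} \alpha_j\Big) \\
&= \sum_{i=1}^{M} \Big(\sum_{j=1}^{n-1} \alpha_j s_j^{q^{i-1}} + \alpha_n s_n'^{\,q^{i-1}}\Big) P_i(x) + P_0(x)\Big(\sum_{j=1}^{n} \alpha_j\Big) \\
&= \sum_{i=1}^{M} \Big(\sum_{j=1}^{n-1} \alpha_j s_j^{q^{i-1}} + \alpha_n \sum_{t=1}^{n} a_t s_t^{q^{i-1}}\Big) P_i(x) + P_0(x)\Big(\sum_{j=1}^{n} \alpha_j\Big) \\
&= \sum_{i=1}^{M} P_i(x) \Big(\sum_{j=1}^{n-1} \alpha_j s_j^{q^{i-1}}\Big) + \alpha_n \sum_{i=1}^{M} P_i(x) \Big(\sum_{t=1}^{n} a_t s_t^{q^{i-1}}\Big) + P_0(x)\Big(\sum_{j=1}^{n} \alpha_j\Big)
\end{aligned}$$

and

$$\begin{aligned}
&\sum_{i=1}^{n-1} \alpha_i A_{s_i}(x) + \alpha_n A_{s_n'}(x) \\
&= \Big(\sum_{i=1}^{n} \alpha_i\Big) P_0(x) + \sum_{j=1}^{n-1} \sum_{i=1}^{M} \alpha_j s_j^{q^{i-1}} P_i(x) + \alpha_n \sum_{i=1}^{M} \Big(\sum_{t=1}^{n} a_t s_t^{q^{i-1}}\Big) P_i(x) \\
&= \Big(\sum_{i=1}^{n} \alpha_i\Big) P_0(x) + \sum_{i=1}^{M} \Big(\sum_{j=1}^{n-1} \alpha_j s_j^{q^{i-1}}\Big) P_i(x) + \alpha_n \sum_{i=1}^{M} \Big(\sum_{t=1}^{n} a_t s_t^{q^{i-1}}\Big) P_i(x)
\end{aligned}$$

for all $x \in \mathbb{F}_{q^l}$. In other words, it can be verified by any verifying node
using his private key.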

From the above argument, we can see that any node in the network can easily make 
pollution to the network flow in the way that the node replaces any one or more of the 
vectors he received by linear combinations of his incoming vectors whose coefficients have 
sum 1 and then the node processes the network coding with the new vectors. 
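
The acceptance condition derived above can be checked numerically on a toy instance. The following is an added example, not code from the paper or from Oggier and Fathi; it assumes $q = 2$, $l = 8$ (so the large field is GF(2^8), here with the AES reduction polynomial), $M = 3$, $k = 3$, two verifiers, and constructed keys and messages. Over $\mathbb{F}_2$ the coefficients $a = (1, 1, 1)$ sum to 1.

```python
# Added illustration, not from the paper. Toy field GF(2^8): q = 2, l = 8 (assumed).
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[j] is the coefficient of x^j."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def mix(c, s, vals):
    """c*vals[0] + s*vals[1] + s^q*vals[2] + ... + s^(q^(M-1))*vals[M]."""
    acc, w = gf_mul(c, vals[0]), s
    for v in vals[1:]:
        acc ^= gf_mul(w, v)
        w = gf_mul(w, w)                 # Frobenius step w -> w^q, q = 2
    return acc

def tag(P, s):
    """Coefficient list of A_s(x) = P_0(x) + s P_1(x) + ... + s^(q^(M-1)) P_M(x)."""
    return [mix(1, s, col) for col in zip(*P)]

def verify(vkey, x_v, packet):
    """Verifier holding P_0(x_v), ..., P_M(x_v) checks the tag at its point x_v."""
    c, s, t = packet
    return poly_eval(t, x_v) == mix(c, s, vkey)

def combine(packets):
    """Sum the packets over F_2, i.e. take every coefficient a_i = 1."""
    c, s, t = 0, 0, [0] * len(packets[0][2])
    for pc, ps, pt in packets:
        c, s, t = c ^ pc, s ^ ps, [u ^ v for u, v in zip(t, pt)]
    return (c, s, t)

def demo():
    rng = random.Random(2013)            # constructed key material, fixed seed
    P = [[rng.randrange(256) for _ in range(3)] for _ in range(4)]  # M = 3, k = 3
    vkeys = {x: [poly_eval(p, x) for p in P] for x in (2, 3)}       # two verifiers
    msgs = [0x53, 0xCA, 0x1F]            # constructed source messages s_1..s_3
    pkts = [(1, s, tag(P, s)) for s in msgs]
    forged = combine(pkts)               # a = (1, 1, 1): coefficients sum to 1 in F_2
    flipped = (1, msgs[0], [pkts[0][2][0] ^ 1] + pkts[0][2][1:])    # one tag bit changed
    ok = lambda p: all(verify(vk, x, p) for x, vk in vkeys.items())
    return {"honest": all(map(ok, pkts)), "forged": forged[:2],
            "forged_accepted": ok(forged), "flipped_accepted": ok(flipped)}
```

Every verifier rejects the packet with a damaged tag, yet accepts the combined packet, whose leading component is 1 and whose message was never sent by the source.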

Finally, we point out that even if Oggier and Fathi's scheme can work fruitfully, the
condition $H < M$ can also be removed. Note that the condition $H < M$ is very critical in
a network. The proof is similar to the proof given by Oggier and Fathi. They wrote the
secret parameters $A = (a_{i,j})$ as a column vector in the order as following

$$a = (a_{0,1}, a_{0,2}, \ldots, a_{0,k}, a_{1,1}, \ldots, a_{1,k}, \ldots, a_{M,1}, a_{M,2}, \ldots, a_{M,k})^T,$$

where $G^T$ represents the transpose of the matrix $G$, and they rewrote the system of linear
equations using $a$. Then they computed the rank of the coefficient matrix, finally they
concluded that under the condition $H < M$ the rank of the coefficient matrix is less than
the number of variables $k(M + 1)$. Actually, if we rewrite the secret parameters
$A = (a_{i,j})$ as a column vector in the following order

$$a' = (a_{0,1}, a_{1,1}, \ldots, a_{M,1}, a_{0,2}, \ldots, a_{M,2}, \ldots, a_{0,k}, a_{1,k}, \ldots, a_{M,k})^T,$$

then we obtain a new system of linear equations on $a_{i,j}$ using $a'$. In this way, we can
easily show that the rank of the coefficient matrix is always less than the number of
variables. So the system of linear equations does always have solutions. Next, we give the
details.

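Suppose a group of $K$ malicious nodes collaborate to recover $A$ and make a substitution
attack. Without loss of generality, we assume that the malicious nodes are
$R_1, R_2, \ldots, R_K$. Suppose the global encoding kernel at the verifying node $R_i$ is

$$H_i = \begin{pmatrix}
h^{(i)}_{1,1} & h^{(i)}_{1,2} & \cdots & h^{(i)}_{1,n} \\
h^{(i)}_{2,1} & h^{(i)}_{2,2} & \cdots & h^{(i)}_{2,n} \\
\vdots & \vdots & & \vdots \\
h^{(i)}_{e(i),1} & h^{(i)}_{e(i),2} & \cdots & h^{(i)}_{e(i),n}
\end{pmatrix}.$$

Each $R_i$ has some information about the secret parameter matrix $A = (a_{i,j})$:

$$\begin{pmatrix}
\sum_{j=1}^{n} h^{(i)}_{1,j} & \sum_{j=1}^{n} h^{(i)}_{1,j} s_j & \sum_{j=1}^{n} h^{(i)}_{1,j} s_j^{q} & \cdots & \sum_{j=1}^{n} h^{(i)}_{1,j} s_j^{q^{M-1}} \\
\sum_{j=1}^{n} h^{(i)}_{2,j} & \sum_{j=1}^{n} h^{(i)}_{2,j} s_j & \sum_{j=1}^{n} h^{(i)}_{2,j} s_j^{q} & \cdots & \sum_{j=1}^{n} h^{(i)}_{2,j} s_j^{q^{M-1}} \\
\vdots & \vdots & \vdots & & \vdots \\
\sum_{j=1}^{n} h^{(i)}_{e(i),j} & \sum_{j=1}^{n} h^{(i)}_{e(i),j} s_j & \sum_{j=1}^{n} h^{(i)}_{e(i),j} s_j^{q} & \cdots & \sum_{j=1}^{n} h^{(i)}_{e(i),j} s_j^{q^{M-1}}
\end{pmatrix} \cdot A
= \begin{pmatrix}
\sum_{j=1}^{n} h^{(i)}_{1,j} L_1(s_j) & \cdots & \sum_{j=1}^{n} h^{(i)}_{1,j} L_k(s_j) \\
\vdots & & \vdots \\
\sum_{j=1}^{n} h^{(i)}_{e(i),j} L_1(s_j) & \cdots & \sum_{j=1}^{n} h^{(i)}_{e(i),j} L_k(s_j)
\end{pmatrix}$$

and

$$A \cdot \begin{pmatrix} 1 \\ x_i \\ \vdots \\ x_i^{k-1} \end{pmatrix} = \begin{pmatrix} P_0(x_i) \\ P_1(x_i) \\ \vdots \\ P_M(x_i) \end{pmatrix}.$$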



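The group of malicious nodes combines their equations, and they get a system of linear
equations

$$\begin{pmatrix} D_1 \\ \vdots \\ D_K \end{pmatrix} \cdot A = \begin{pmatrix} C_1 \\ \vdots \\ C_K \end{pmatrix}, \qquad
A \cdot \begin{pmatrix}
1 & 1 & \cdots & 1 \\
x_1 & x_2 & \cdots & x_K \\
\vdots & \vdots & & \vdots \\
x_1^{k-1} & x_2^{k-1} & \cdots & x_K^{k-1}
\end{pmatrix}
= \begin{pmatrix}
P_0(x_1) & P_0(x_2) & \cdots & P_0(x_K) \\
P_1(x_1) & P_1(x_2) & \cdots & P_1(x_K) \\
\vdots & \vdots & & \vdots \\
P_M(x_1) & P_M(x_2) & \cdots & P_M(x_K)
\end{pmatrix} \tag{1}$$

where

$$D_i = \begin{pmatrix}
\sum_{j=1}^{n} h^{(i)}_{1,j} & \sum_{j=1}^{n} h^{(i)}_{1,j} s_j & \sum_{j=1}^{n} h^{(i)}_{1,j} s_j^{q} & \cdots & \sum_{j=1}^{n} h^{(i)}_{1,j} s_j^{q^{M-1}} \\
\sum_{j=1}^{n} h^{(i)}_{2,j} & \sum_{j=1}^{n} h^{(i)}_{2,j} s_j & \sum_{j=1}^{n} h^{(i)}_{2,j} s_j^{q} & \cdots & \sum_{j=1}^{n} h^{(i)}_{2,j} s_j^{q^{M-1}} \\
\vdots & \vdots & \vdots & & \vdots \\
\sum_{j=1}^{n} h^{(i)}_{e(i),j} & \sum_{j=1}^{n} h^{(i)}_{e(i),j} s_j & \sum_{j=1}^{n} h^{(i)}_{e(i),j} s_j^{q} & \cdots & \sum_{j=1}^{n} h^{(i)}_{e(i),j} s_j^{q^{M-1}}
\end{pmatrix}$$

and

$$C_i = \begin{pmatrix}
\sum_{j=1}^{n} h^{(i)}_{1,j} L_1(s_j) & \sum_{j=1}^{n} h^{(i)}_{1,j} L_2(s_j) & \cdots & \sum_{j=1}^{n} h^{(i)}_{1,j} L_k(s_j) \\
\vdots & \vdots & & \vdots \\
\sum_{j=1}^{n} h^{(i)}_{e(i),j} L_1(s_j) & \sum_{j=1}^{n} h^{(i)}_{e(i),j} L_2(s_j) & \cdots & \sum_{j=1}^{n} h^{(i)}_{e(i),j} L_k(s_j)
\end{pmatrix}.$$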



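Denote

$$S_n = \begin{pmatrix}
1 & s_1 & s_1^{q} & \cdots & s_1^{q^{M-1}} \\
\vdots & \vdots & \vdots & & \vdots \\
1 & s_n & s_n^{q} & \cdots & s_n^{q^{M-1}}
\end{pmatrix}.$$

Then

$$D_i = H_i \cdot S_n.$$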



Lemma 3.1. If $K < k - 1$, then there exist exactly $q^{l(M+1-r_0)(k-K)}$ matrices $A$
satisfying the system of equations (1), where

$$r_0 = \operatorname{rank} \begin{pmatrix} H_1 S_n \\ \vdots \\ H_K S_n \end{pmatrix}.$$



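Proof. Recall the system (1)

$$\begin{pmatrix} H_1 S_n \\ \vdots \\ H_K S_n \end{pmatrix} \cdot A = \begin{pmatrix} C_1 \\ \vdots \\ C_K \end{pmatrix}, \qquad
A \cdot \begin{pmatrix}
1 & 1 & \cdots & 1 \\
x_1 & x_2 & \cdots & x_K \\
\vdots & \vdots & & \vdots \\
x_1^{k-1} & x_2^{k-1} & \cdots & x_K^{k-1}
\end{pmatrix}
= \begin{pmatrix}
P_0(x_1) & \cdots & P_0(x_K) \\
P_1(x_1) & \cdots & P_1(x_K) \\
\vdots & & \vdots \\
P_M(x_1) & \cdots & P_M(x_K)
\end{pmatrix}.$$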



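Rewrite the matrix $A$ of variables as a single column of $k(M + 1)$ variables. Then the
system (1) becomes

$$\begin{pmatrix}
H_1 S_n & & & \\
& H_1 S_n & & \\
& & \ddots & \\
& & & H_1 S_n \\
\vdots & \vdots & & \vdots \\
H_K S_n & & & \\
& H_K S_n & & \\
& & \ddots & \\
& & & H_K S_n \\
I_{M+1} & x_1 I_{M+1} & \cdots & x_1^{k-1} I_{M+1} \\
I_{M+1} & x_2 I_{M+1} & \cdots & x_2^{k-1} I_{M+1} \\
\vdots & \vdots & & \vdots \\
I_{M+1} & x_K I_{M+1} & \cdots & x_K^{k-1} I_{M+1}
\end{pmatrix}
\begin{pmatrix} a_{0,1} \\ a_{1,1} \\ \vdots \\ a_{0,2} \\ a_{1,2} \\ \vdots \\ a_{0,k} \\ a_{1,k} \\ \vdots \\ a_{M,k} \end{pmatrix}
= T \tag{2}$$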



where $I_{M+1}$ is the identity matrix with rank $(M + 1)$ and $T$ is the column vector of the
constant terms in system (1) with proper order. Notice that

$$r_0 = \operatorname{rank} \begin{pmatrix} H_1 S_n \\ H_2 S_n \\ \vdots \\ H_K S_n \end{pmatrix}
= \operatorname{rank} \left( \begin{pmatrix} H_1 \\ H_2 \\ \vdots \\ H_K \end{pmatrix} S_n \right)
\le \min \left\{ \operatorname{rank} \begin{pmatrix} H_1 \\ \vdots \\ H_K \end{pmatrix},\ \ldots \right\}.$$

Also note that the rows of

$$\begin{pmatrix} H_1 S_n \\ \vdots \\ H_K S_n \end{pmatrix}$$

are contained in the space $\mathbb{F}_{q^l}^{M+1}$ generated by $x_i I_{M+1}$ if $x_i \neq 0$.
So the rank of the coefficient matrix of System (2) is equal to

$$r_0 k + (M + 1 - r_0) K,$$

which is less than the number of variables $k(M + 1)$. So the system has

$$q^{l(k(M+1) - (r_0 k + (M+1-r_0)K))} = q^{l(M+1-r_0)(k-K)}$$

solutions, i.e., the system (1) has $q^{l(M+1-r_0)(k-K)}$ solutions. □

4. Conclusion 

In this paper, we discuss the security of the authentication code given by Oggier and
Fathi and show our linear attack on their scheme, although it looks non-linear. We
point out that, as the technique of linear network develops very fast and has entered
our daily life in many forms, such as Internet TV, wireless networks, content distribution
networks, P2P networks and distributed file systems, giving an efficient and unconditionally
secure authentication code for linear networks against the original substitution/pollution
attack considered by Oggier and Fathi is extremely urgent.